216.73.217.50

CVE-2026-43640

· Published 11/05/2026 18:16 · Modified 11/05/2026 18:16

Labels: CVE-2026-43640 2026-05-11CVE-2026-43640CWE-303[email protected]

Essential information

Published
11/05/2026 18:16
Modified
11/05/2026 18:16
Author
Creator
CVSS
8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
bitwarden / bitwarden server cpe:2.3:a:bitwarden:bitwarden_server:<2026.4.1:*:*:*:*:*:*:*

References